5 ways to improve enterprise risk management post-pandemic

By Will Bruce | May 25, 2020

In light of the COVID-19 pandemic, how corporations approach enterprise risk management requires a re-assessment.

The response to the global COVID-19 pandemic is directly shaping how corporations view and manage risk. These unprecedented times warrant a re-appraisal of how companies assess uncertainty. Traditional enterprise risk management (ERM) frameworks suffered from shortfalls before the response to the pandemic — primarily in the ability to provide tangible value — and now, more than ever before, require a re-assessment.

The following five points highlight common deficiencies in ERM frameworks. Accompanying proposed actions are provided to address each point, presenting opportunities to improve ERM approaches.

  1. Time horizon

    Typical risk identification and assessment focuses on an annual time horizon, aligned with the corporate reporting calendar. This has constrained appraisal of longer-term threats and opportunities and for some organizations has hindered investment in resilience measures.

    Before the pandemic, this short-term thinking started to change with, for example, investors driving corporations to understand the potential impact of a changing climate on their business models. This emerging practice should become standard in order to ensure corporations focus not just on continuity measures, but on the fundamental sustainability of the business model.

  2.

    ERM reporting has suffered from producing risk heat maps that provide little insight or value. While risk reporting may provide assurance on the efficacy of control measures, ERM has often failed to provide insight on the relevance of “high impact, low likelihood” exposures such as the COVID-19 pandemic.

    Determining how much focus should be spent on “low likelihood” exposures is difficult, but due consideration of risk exposures that are considered plausible but unlikely should ultimately improve resilience if an event were to occur. To reduce vulnerability to shocks, organizations should:

    • Report on risk trends (growing or decreasing in threat)
    • Increase use of scenario analysis
    • Prioritize focus on contingency measures
  3. Expert judgment

    There has been a reticence in ERM to rely on expert judgment as a form of risk assessment. The use of models and statistical techniques to measure risk has all but usurped any form of judgment, with a common view from risk managers that any form of qualitative assessment is redundant, subjective or erroneous.

    Expert judgment of risk exposures should complement statistical modeling, particularly where historical loss experience and other data is insufficient to build reliable models. With sustainability as the primary goal of ERM, post-pandemic risk managers should view elicitation of expert judgment as a legitimate assessment of risk.

  4.

    One of the factors that has contributed to ERM’s lack of perceived value has been a shortfall in pragmatism. All too often risk frameworks are abundant with risk terminology and over-engineered or inflexible processes, leading to stymied engagement in ERM, with a consequential lack of considered input into the process of risk identification and assessment from a wider range of stakeholders.

    Risk guidance, codes, standards, industry bodies and even regulators have not helped this lack of pragmatism, as they encourage practices that read well on paper, but lack commerciality in practice. For example, a risk appetite statement has many beneficial attributes, but has rarely provided value in practice.

    Viewing risk management through a commercial lens should help to re-orient ERM as a valuable discipline to provide foresight and insight. A governance structure that has ERM reporting directly to strategy or finance should help in this regard.

  5. Risk assessment

    The impact of the pandemic is pervasive throughout a business’s entire operations. ERM tends to focus more on “bottom-up” approaches — using risk control self-assessments — and less on “top-down” assessment. Building on the themes above, a shift to greater use of scenario analysis as an assessment technique will help corporations:

    • Focus on those events that matter
    • Engage expert judgment
    • Consider risk correlation and inter-dependency
    • Help assess organizational resilience

Final thoughts

For many, ERM has gradually moved to a state that resembles a negative feedback loop — focus on short-term; reliance on bottom-up controls assurance; abundant technical jargon; lack of commerciality; and reporting that is deficient in insight and value. This has led to difficulty in embedding process and engagement from the business, resulting in ongoing decline in quality in risk reporting.

The measures outlined above should help corporations to place sustainability and value as the primary objectives of ERM. A pragmatic process that elicits expert judgment, is designed with a commercial mindset, and directly supports finance and strategy will create value through insight and foster engagement. This will help organizations place ERM where it was always intended: to reduce uncertainty and volatility.


Global Head of Enterprise Risk Management, Risk & Analytics
